WIXLIB

Organizations cannot afford to ignore any ofthe six major categories of supply chain riskA forward-thinking approach to effective supply chain risk management mustconsider all potential sources of disruption, whether frequent and relativelypredictable or rare and difficult to foresee. This is because the financialimpact to organizations of risk events is evenly spread across the sixcategories shown in the chart opposite.The average annual disruption cost, according to IT and IT securityrespondents, ranges from 42 million for financial issues – such as a keysupplier going bankrupt – to 37 million for environmental, social andgovernance (ESG) risks – for example, fines for breaching human rightslaws at a factory or service location.DATA DIVEThese similarities in cost impact highlight the fact that CISOs, IT leaders andtheir organizations must take each of these risk factors seriously and refrainfrom focusing on just one or two categories in isolation.Average Cost to Organization in MillionsFinance (e.g. liquidity, profitability,solvency)Operations (e.g. infrastructure,natural disasters, healthcarecapacity).55% 41Restrictions (e.g. denied persons,state sponsors of terrorism, financialsanctions) 40Geopolitical (e.g. political instability,economic inequality, political rights) 40Cyber (e.g. infrastructure, naturaldisasters, healthcare capacity)ESG - environmental (e.g. climatechange), governance (e.g.counterfiet exports), social (e.g.modern slavery)The average annual percentage of revenue lost dueto a category-specific supply chain disruption 42 39 37Q: In your estimation, what is the annual cost in revenue to your organizationas a result of supply chain disruption per category? n 750Confidential Interos Inc. All rights reserved.

Most organizations have experienced supplychain disruptions beyond their Tier 1 suppliersOrganizations need to focus beyond Tier 1 suppliers given that theoverwhelming majority (87%) of IT and IT security executivesreported supply chain disruptions occurring outside their direct supplybase. More than two-thirds (67%) reported being been impacted byrisk events below Tier 2 (their supplier’s suppliers).Where Disruptions Have Occurred1st tier15%2nd tier32%3rd and/or 4th tier50%5th and/or 6th tier37%7th and/or 8th tierWe have not been impacted bydisruptions in our supply chain14%3%5%Q: Disruptions in which of the following tiers of your organization’s supply chain haveimpacted your business operations? (Not showing all answer options); n 750Many risk events are therefore hidden from view. IT and IT securitymanagers may discover the issues only when their networks areattacked or product orders stop arriving on time.DATA DIVE9th tier and belowThis is a common gap for several reasons: First, becauseorganizations lack visibility into their sub-tiers, severely limiting theirability to stay ahead of disruption. Second, because Tier 1 partnersthemselves either lack information about potential disruptions furtherupstream or don’t share this data in a transparent and timely way.67%of organizations have experienced disruptionsbeyond Tiers 1 and 2 of their supply chainNote: This report uses the term “Tiers,” as opposed to “parties”. For the purposes of this report, a Tier 1supplier is the same as a 3rd party, a Tier 2 supplier is a 4th party, etc.Confidential Interos Inc. All rights reserved.

The majority of IT and IT security executives are confident theywould know about disruptive events at Tiers 1 and 2 onlyThe danger of being taken by surprise when disruptions happen – leaving little time to respond in a cost-efficient way – is underlined bythe fact that most survey participants are confident they would only be aware of the six risk events shown below if they originated in thefirst two tiers of their supply bases. Between one-fifth and one-third of IT and IT security leaders, depending on the event type, say theyonly have confidence at the Tier 1 supplier level. This leaves many organizations at the mercy of invisible supply chain shocks.41%32%31%26%25%20%26%7%2% 2% 1%A supplier suffers a cyber attack22%4%1%A supplier experiences dips inliquidity, profitability, solvency, orvaluation7%4%1%A supplier experiencesgeopolitical turmoil24%12%8%7%3%1%A supplier commits an 9%9%30%3%0%A supplier experiences anoperational disruption1%A supplier violates a prohibitionor restrictionI am totally confident my organization would be aware of this event happening in the 1st tier, but no furtherI am totally confident my organization would be aware of this event happening down to the 2nd tier, but no furtherI am totally confident my organization would be aware of this event happening down to the 3rd/4th tier, but no furtherI am totally confident my organization would be aware of this event happening down to the 5th/6th tier, but no furtherI am totally confident my organization would be aware of this event happening down to the 7th/8th tier, but no furtherI am totally confident my organization would be aware of this event happening down to the 9th tier and belowI am not confident my organization would be aware of this event happening at any tierQ: Down to which tier in your organization’s supply chain are you totally confident you would be aware of, should one of the following events happen? (Not showing all answer options); n 750Confidential Interos Inc. All rights reserved.

3Supply Chain Risk PracticesRequire Further Improvement

Organizations are not evaluating supplier riskin a significant minority of relationshipsIdentifying and assessing different types of supplier risk andunderstanding other factors such as the true value at risk in a givenscenario, or the availability of alternative sources, is critical to operationalresilience.56%of suppliers, on average, are evaluated aspart of an organization’s risk analysisRisk prioritization via segmenting suppliers by their value to theorganization is a pragmatic approach. However, it is concerning that ITand IT security leaders say that only just over half of suppliers (56%) aretypically evaluated during their risk analysis process.While a deeper level of analysis may be required for the most strategicand critical partners, it is necessary to assess a broader set of suppliersfor financial, cyber and other risks, both for compliance and operationalresilience reasons. Without this, firms leave themselves exposed.“Being able to make faster and more informed decisions allows us to reducesupplier risk.”– IT/Security Executive, Aerospace & Defense, FranceQ: What percentage of your organization’s suppliers are evaluatedfor risk as part of your organization’s risk analysis?; n 750Confidential Interos Inc. All rights reserved.

Geopolitical risk factors have more than doubledin importance since Russia invaded UkraineMost Important Risks When Evaluating SuppliersESG - environmental (e.g. climate change),governance (e.g. counterfiet exports), social(e.g. modern slavery)57%57%Geopolitical (e.g. political instability, economicinequality, political rights)56%26%2.2X52%Cyber (e.g. infrastructure, natural disasters,healthcare capacity)61%Operations (e.g. infrastructure, naturaldisaster, healthcare capacity)44%Restrictions (e.g. denied persons, statesponsors of terrorism, financial sanctions)42%45%53%42%Finance (e.g. liquidity, profitability, solvency)Post-invasionGeopolitical issues such as military conflict, social unrest, andterrorist attacks are often downplayed in supply chain risk analysis.Just prior to Russia’s invasion of Ukraine, for example, our surveyfound that a quarter of IT and IT security leaders (26%) prioritizedsuch considerations in their supplier evaluations. Asked the samequestion a few weeks into the war, however, and that figure hadmore than doubled to over half of the sample (56%).The war in Ukraine demonstrates how quickly conflict can disruptfragile global supply chains, especially those that are heavilydependent on another country. The ongoing U.S.-China trade warand the threat of a Chinese invasion of Taiwan – the dominantplayer in semiconductor manufacturing – are other examples ofmajor geopolitical issues that must be factored into supply chainrisk management efforts.57%Pre-invasionQ: Which of the following factors are most important to your organization when evaluatingstrategic partners/suppliers? (Combination of responses ranked first, second and third, notshowing all answer options); Before n 750, After n 84Organizations that fail to take sufficient account of geopolitical risksamong suppliers ahead of time are left scrambling to respond tosudden supply shortages, logistical problems, cost increases andgovernment restrictions.Confidential Interos Inc. All rights reserved.

Only 11% of organizations say they monitorsupplier risks on a continuous basisHow Often Supplier Risk is MonitoredThe frequency with which organizations monitor risk across their supplychains is also critical. Only slightly more than 1 in 10 IT and IT securityrespondents said they “continuously” monitor supplier risks, with almostthree-quarters doing this on a weekly, monthly or quarterly basis.AnnuallyAd hoc/when aproblem arisesContinuouslyEvery six months2%6% 2%With so many potential sources of disruption across an extended globalsupply network, there can be significant benefits to those with real-time,near-real-time or at least daily warnings of supplier risk events.11%WeeklyQuarterlyFor organizations seeking to improve their ability to protect themselvesagainst vulnerabilities in their supply chains, moving from a periodic to acontinuous monitoring strategy should be high on the priority list.18%26%“To ensure our resilience, we have set up with our suppliers and partnersalert modules which, over time, will allow real-time monitoring of political,climatic, economic, technological and social risks.”35%Monthly– IT/Security Executive, Financial Services, FranceQ: How frequently is your organization monitoring supplier risk as part of your organization’srisk analysis?; n 744 [Shown to respondents who said their organization evaluates suppliersas part of their risk analysis]Confidential Interos Inc. All rights reserved.

4The Role of Technology inManaging Risk Proactively

Technology enables organizations to mitigate supplychain risk and gain a competitive advantageBenefits of Supply Chain Risk SolutionsAll 750 IT and IT security executive survey respondents felt there were clearbenefits to be gained by investing in software solutions for supply chain riskmanagement.Chief among these benefits is the ability to analyze and mitigate risk throughenhanced access to data and information. More than half of CISOs and ITleaders also saw opportunities to gain competitive advantage over rivals, inaddition to limiting the negative impact from supply chain disruptions.Greater Ability to analyze/mitigate risk58%Competitive advantage over rivalorganizations54%Visibility across many different types ofevents44%Lower costs (e.g. downtime, costs torevenue, etc.)43%Reducing extra costs associated with such disruptions and improving visibilityacross different types of risk events via continuous monitoring were alsoidentified as benefits by a substantial minority of IT and IT security leaders.Reduced reputational damage27%“Disruption is the new normal, so we have to move with it. We areimplementing digital technologies to improve our supply chain planning.”There are no benefits to investing insupply chain solutions– IT/Security Executive, Aerospace & Defense, France0%Q: In your opinion, what are/would be the greatest benefits to yourorganization investing in a supply chain solution that can analyze risk acrossmultiple categories? (Not showing all answer options); n 750Confidential Interos Inc. All rights reserved.

Less than a fifth use intelligent supply chain visibilitysolutions – but most plan to implement them soonUse of Supply Chain Visibility TechnologyWe already have technology in place todo this18%We already have technology, and arecurrently in the process of implementing it53%We do not have technology in place, buthave plans to introduce it within the next 6monthsWe do not have the technology in place,but have plans to introduce it within thenext 6-12 monthsWe do not have the technology in place,but have plans to introduce it beyond thenext 12 monthsWe do not have the technology in place,and have no plans to introduce itUnderstanding the interdependencies between an organization andits suppliers at different tiers is essential because many supplychain disruptions originate among indirect suppliers (those at Tier 2and even further upstream).22%5%2%1%Q: Does your organization plan on leveraging automated/intelligent solutions to gainvisibility into interdependencies into your supply chain? (Not showing all answeroptions); n 750Without this level of visibility, IT and IT security managers cannotmake informed decisions about where and how to mitigate potentialsources of supplier risk.Supply chain visibility is a big data problem that requires a big datasolution.While less than one-fifth of CISOs and IT executives say theyalready use intelligent and automated technology to gain visibility ofsupplier interdependencies, 80% say they are implementing it orplan to introduce it within 12 months.“Through AI and big data, our whole supply chain will operate moreefficiently and allow us to anticipate problems before they happen.”– IT/Security Executive, Aerospace & Defense, CanadaConfidential Interos Inc. All rights reserved.

Most would happily partner with a solution providerthat offers broad visibility of supply chain risks“We are employing AI to enhance our resilience. It improves visibility and thepace at which we can react.”84%– IT/Security Executive, Aerospace & Defense, U.S.would value a partnership with a vendorthat gives supply chain risk visibility to allrelevant departmentsThe importance of having multi-tier supply chain visibility and the needfor advanced technologies to obtain it highlights the crucial role thatsolution providers play in helping organizations to improve their supplychain risk management practices and build greater resilience.DATA DIVEThis fact explains why the vast majority of IT and IT securityexecutives across all geographic regions and industry sectors coveredin our survey agree that they would value a partnership with a vendorthat can deliver visibility of supply chain risks to all relevant functionsand stakeholders within their organizations.80%plan to introduce technology to gain visibility of supplychain interdependencies in the next 12 monthsQ: To what extent do you agree or disagree with the followingstatement? “My organization would value a partnership with a vendorwho helps give us visibility over supply chain risks, to all relevantdepartments”; n 629 who “strongly agree” or “somewhat agree”Confidential Interos Inc. All rights reserved.

5Operational Resilience is aMultiplayer Game

Collective responsibility is key to help organizationsreduce their exposure to supply chain shocks“We have increased communication with our close suppliers andpartners to find out the possibilities of disruptions happening, andgetting a head start when they do happen.”81%– IT/Security Executive, IT & Technology, UKsay cooperation across internal departmentsand with suppliers is vital to protect againstdisruptionsInteros defines operational resilience as “the ability to continueproviding products or services in the face of adverse market or supplychain events. An operationally resilient organization manages risk in astrategic and proactive way to prevent, respond to and recover quicklyfrom disruptions that could impact its customers, brand reputation orfinancial performance; and to seize new business opportunities.”Achieving operational resilience is not, however, something that oneorganization can do on its own; it requires collective responsibility andan ecosystem-wide approach. This is recognized in the finding thatover 8 out of 10 IT and IT security executives agree that workingcollaboratively across internal functions and with key suppliers andother external partners is critical if they are to equip their organizationsto respond effectively in the face of constant and significant supplychain disruptions.Q: To what extent do you agree or disagree with the following statement?“Collective responsibility (e.g. across departments/suppliers/partners) is critical tohelp ensure my organization is best protected against supply chain disruptions”;n 605 who “strongly agree” or “somewhat agree”Confidential Interos Inc. All rights reserved.

Better internal collaboration and information sharingis needed to manage supply chain risk effectively78%agree they need to improve how theycollaborate and share informationinternally across departmentsTo build and maintain resiliency in your business, you must minimizethe downside while maintaining the ability to act on opportunities thatmay present themselves.”– IT/Security Executive, Pharmaceuticals, IrelandCollective responsibility for supply chain risk starts within the fourwalls of an organization. Without effective cross-functionalinformation sharing and collaboration, it is difficult to align interests,develop processes, and mitigate risks jointly with external suppliersand other partners.Almost four-fifths of IT and IT security executives agree they need toimprove how they collaborate and share information betweendepartments.Q: To what extent do you agree or disagree with the following statement? “Myorganization needs to improve how we collaborate/share information internally(e.g. across departments) when it comes to supply chain risk”; n 582 who“strongly agree” or “somewhat agree”In the case of cyber threats that means organizations require closecooperation between procurement, IT security and supply chainmanagers to identify and plug vulnerabilities at suppliers with accessto their systems and networks.Confidential Interos Inc. All rights reserved.

An overwhelming majority accept their organizationsmust improve external collaboration with suppliers“Joint cooperation is vital. All parties in the supply chain should know whatis expected from them. We can assist the lower tiers in providing knowledge,expertise and help them (part financially) to invest in the latest technology.”79%– IT/Security Executive, Aerospace & Defense, U.S.agree they need to improve how theycollaborate and share information externallywith suppliers/partnersOperational resilience is a multiplayer game; it requires the supportand cooperation of suppliers and strategic partners throughout thesupply chain. Again, an overwhelming majority of CISOs and ITleaders agreed that they need to do a better job of externalengagement when it comes to building operational resilience.Supplier collaboration in risk management is vital for several reasons.First, because trust-based relationships are essential if suppliers areto share sensitive data about their own supply chains and risks thatmay impact efficient operations. Second, because business continuityand contingency plan

upon rigorous research principles and their ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets. For more information, visit www.vansonbourne.com. Role 200 150 150 150 100 US UK and Ireland DACH France Canada 150 150 150 150 150 Aerospace and defense